One Identity Active Roles Server
| Field | Value |
|---|---|
| Connector name | |
| Connector type | Executable |
| Type (UI field value) | One Identity Active Roles |
| Target system versions supported / tested | The |
| Connector status / support | Customer-Verified. Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment, as Bravura Security does not maintain internal test environments for the associated target system. |
The following Bravura Security Fabric operations are supported by this connector (depending on your product license and version):
user change password
expire password
check password expiry
administrator reset password
unlock account
check account lock
create account
delete account
disable account
enable account
check account enabled
create group
delete group
add user to group
delete user from group
add group to group
remove group from group
get server information
add owner(user) to group
remove owner(user) from group
add owner(group) to group
remove owner(group) from group
List:
accounts
attributes
groups
members
computer objects
For a full list and explanation of each connector operation, see connector operations.
Preparation
Before you can target One Identity Active Roles Server, you must:
Provide access to Active Roles Management Shell.
Set up target system administrator(s)
Create at least one template account
Setting up access to Active Roles Management Shell
When listing accounts from Active Roles Server remotely, access to Active Roles Management Shell is required.
On the Active Roles Server:
1. Add the Active Roles target system administrator to the following local user groups by using Server Manager:
   - Remote Desktop Users
   - WinRMRemoteWMIUsers__
   - WSS_ADMIN_WPG

   Note: The local group WinRMRemoteWMIUsers__ is not installed by default in later Windows versions, such as Windows 2016. It can be added by using the command:
   net localgroup /add WinRMRemoteWMIUsers__
2. Launch Active Roles Management Shell as an Administrator.
3. Execute the following command to enable Windows Remote Management (WinRM):
   Enable-PSRemoting -Force
4. Execute the following command to enable Credential Security Support Provider (CredSSP) authentication on the Active Roles Server:
   Enable-WSManCredSSP -Role Server
To configure the client computer where the connector (agtars) is installed:
If the connector (agtars) is installed on the Bravura Security Fabric server:
1. Launch Windows PowerShell as an Administrator.
2. Execute the following command to enable Credential Security Support Provider (CredSSP) authentication:
   Enable-WSManCredSSP -Role client -DelegateComputer "<ARS server name>"
If the connector (agtars) is installed on the Active Roles Server:
1. Install Proxy Service (psproxy) on the Active Roles Server.
2. Install the Connector Pack, which should match the Connector Pack set up on the Bravura Security Fabric server.
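The following PowerShell script is an added example, not part of the Bravura Security documentation: it carries out the server-side and client-side steps above for the remote case in one place and verifies the outcome (WinRM reachability, the CredSSP delegation entry, and a CredSSP session to the Active Roles Server). The script name, the host name ars01.corp.example, the account CORP\svc-bravura-ars, the use of the Microsoft.PowerShell.LocalAccounts cmdlets (Windows Server 2016 and later), and the module name ActiveRolesManagementShell checked in the last step are all assumptions, not values taken from the page.

```powershell
# Added example; not part of the Bravura Security documentation.
# Usage (elevated PowerShell):
#   On the Active Roles Server:            .\Set-ArsRemoteAccess.ps1 -Role Server
#   On the Bravura Security Fabric server: .\Set-ArsRemoteAccess.ps1 -Role Client
# Placeholders, not values from the documentation: the script name, the ARS
# host name, the target system administrator account, and the Active Roles
# module name checked in the final step.
param(
    [Parameter(Mandatory)] [ValidateSet('Server', 'Client')] [string] $Role,
    [string] $ArsServer   = 'ars01.corp.example',   # placeholder ARS host name
    [string] $TargetAdmin = 'CORP\svc-bravura-ars'  # placeholder administrator
)

$ErrorActionPreference = 'Stop'

# Adds $Member to local group $Group, creating the group first if it does not
# exist (WinRMRemoteWMIUsers__ is absent by default on Windows 2016 and later).
# Uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows Server 2016+).
function Add-GroupMemberIfMissing {
    param([string] $Group, [string] $Member)
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Group | Out-Null
    }
    $present = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $Member }
    if (-not $present) {
        Add-LocalGroupMember -Group $Group -Member $Member
    }
}

switch ($Role) {
    'Server' {
        foreach ($group in 'Remote Desktop Users', 'WinRMRemoteWMIUsers__', 'WSS_ADMIN_WPG') {
            Add-GroupMemberIfMissing -Group $group -Member $TargetAdmin
        }
        Enable-PSRemoting -Force                 # WinRM listener and firewall rule
        Enable-WSManCredSSP -Role Server -Force  # accept CredSSP from the connector host
        Get-WSManCredSSP                         # shows the resulting server-side setting
    }
    'Client' {
        # Delegate credentials only to the named ARS host. CredSSP hands the
        # connector's plaintext credential to the remote side, so the
        # DelegateComputer entry is the boundary of where that credential may go.
        Enable-WSManCredSSP -Role Client -DelegateComputer $ArsServer -Force
        Get-WSManCredSSP
        Test-WSMan -ComputerName $ArsServer      # WinRM reachable before trying CredSSP

        $cred = Get-Credential -UserName $TargetAdmin -Message 'Target system administrator password'
        $session = New-PSSession -ComputerName $ArsServer -Authentication Credssp -Credential $cred
        try {
            # Confirm the Management Shell module is visible to this account.
            # 'ActiveRolesManagementShell' is the assumed module name; adjust it
            # to the Active Roles version installed.
            Invoke-Command -Session $session -ScriptBlock {
                Get-Module -ListAvailable -Name 'ActiveRolesManagementShell'
            }
        }
        finally {
            Remove-PSSession -Session $session
        }
    }
}
```

Run the Server branch on the Active Roles Server and the Client branch on the Bravura Security Fabric server that hosts agtars. The Client branch names one delegation target rather than a wildcard, and the final Invoke-Command is the check that the designated administrator can actually reach the Management Shell through CredSSP before the target system is configured.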
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts in One Identity Active Roles Server.
Setting up target system administrator(s)
Bravura Security Fabric uses designated account(s) on One Identity Active Roles Server to perform Bravura Security Fabric operations.
The target system administrator must be a member of the Domain Administrators group from the domain the Active Roles Server manages, and a member of the Active Roles Admin group if the connector accesses the Active Roles Server remotely.
Targeting One Identity Active Roles system
For each One Identity Active Roles Server, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):
Type is One Identity Active Roles.
Address uses options described in the table below.
Options marked with a

| Option | Description |
|---|---|
| Domain | The domain that the One Identity Active Roles Server manages. (key: domain) |
| Server | The Active Roles Server hostname or IP address. (key: svr) |
| OUs to list users from | List only those OUs that exist in one or more containers. (key: listOUs) |
| Connect to local ARS Server | Connect to the ARS server or the domain controller. The default is to connect to the domain controller. (key: arsonly) |
| Poll time after create | Time in seconds for which the product server will check the Active Roles Server to confirm the new account creation. The default is 5 seconds. (key: polltime) |
| Connector fail on invalid user | If the server does not find the new account within the poll time, a message will appear in the system log. (key: failOnInvalidUser) |
The address is entered as follows:
{domain=<domain name>/[;svr=<ARS server name>;][listOUs={<OUs>};][arsonly=true|false;][polltime=<N>;][failOnInvalidUser=true|false]}
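The following PowerShell function is an added example, not part of the Bravura Security documentation or the agtars connector: it parses an address written in the format above into a hashtable, applies the defaults from the option table, and rejects unknown keys and malformed values before the address is entered into the target system. It assumes, since the page does not state it, that options are separated by semicolons, that the outer braces are optional, that failOnInvalidUser defaults to false, and that the value of listOUs is kept as the literal text between its braces because OU distinguished names themselves contain commas.

```powershell
# Added example; not part of the Bravura Security documentation.
# Parses and validates a One Identity Active Roles target system address:
#   domain=<domain name>[;svr=<ARS server name>][;listOUs={<OUs>}]
#     [;arsonly=true|false][;polltime=<N>][;failOnInvalidUser=true|false]
# Assumptions: ';' separates options, outer braces are optional, listOUs is
# kept verbatim inside its braces, failOnInvalidUser defaults to false.
function ConvertFrom-ArsAddress {
    param([Parameter(Mandatory)] [string] $Address)

    # Option keys from the table above and the kind of value each accepts.
    $types = @{
        domain            = 'string'
        svr               = 'string'
        listOUs           = 'braced'
        arsonly           = 'bool'
        polltime          = 'int'
        failOnInvalidUser = 'bool'
    }
    # Defaults from the option table: arsonly=false (connect to the domain
    # controller), polltime=5 seconds. failOnInvalidUser=false is assumed.
    $options = @{ arsonly = $false; polltime = 5; failOnInvalidUser = $false }

    $body = $Address.Trim()
    if ($body.StartsWith('{') -and $body.EndsWith('}')) {
        $body = $body.Substring(1, $body.Length - 2)
    }

    # Split on ';' only at brace depth 0, so a listOUs={...} value stays intact.
    $tokens  = [System.Collections.Generic.List[string]]::new()
    $current = ''
    $depth   = 0
    foreach ($ch in $body.ToCharArray()) {
        if ($ch -eq '{') { $depth++ }
        elseif ($ch -eq '}') { $depth-- }
        if ($ch -eq ';' -and $depth -eq 0) {
            $tokens.Add($current)
            $current = ''
        } else {
            $current += $ch
        }
    }
    if ($current -ne '') { $tokens.Add($current) }
    if ($depth -ne 0) { throw "Unbalanced braces in address '$Address'" }

    foreach ($token in $tokens) {
        if ($token -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') {
            $key   = $Matches[1]
            $value = $Matches[2]
        } else {
            throw "Malformed option '$token' (expected key=value)"
        }
        if (-not $types.ContainsKey($key)) { throw "Unknown option key '$key'" }

        switch ($types[$key]) {
            'bool' {
                if ($value -notin @('true', 'false')) { throw "$key must be true or false, got '$value'" }
                $options[$key] = ($value -eq 'true')
            }
            'int' {
                if ($value -notmatch '^\d+$') { throw "$key must be a whole number of seconds, got '$value'" }
                $options[$key] = [int]$value
            }
            'braced' {
                if ($value -match '^\{(.*)\}$') { $options[$key] = $Matches[1] }
                else { throw "$key must be written as {<OUs>}, got '$value'" }
            }
            default {
                if ($value -eq '') { throw "$key must not be empty" }
                $options[$key] = $value
            }
        }
    }

    if (-not $options.ContainsKey('domain')) { throw 'domain is required' }
    return $options
}

# Constructed sample address (placeholder names, not real systems).
$parsed = ConvertFrom-ArsAddress 'domain=corp.example;svr=ars01.corp.example;listOUs={OU=Staff,DC=corp,DC=example};arsonly=true;polltime=10'
$parsed
```

For the sample above the function returns domain, svr and listOUs as strings, arsonly as $true, polltime as the integer 10 and failOnInvalidUser as the default $false; an address such as domain=corp.example;polltime=abc or one with a misspelled key is rejected with a message naming the offending option, which is the kind of check worth running before a target system is saved with an address the connector cannot interpret.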
Setting the administrator credentials
A One Identity Active Roles target system requires one or two administrative credentials depending on whether the connector accesses Active Roles Server locally or remotely.
If the connector accesses an Active Roles Server locally (for example, the Active Roles Server connector is installed on the Active Roles Server via proxy), the Administrator ID should be set to a domain administrator account, using the domain name followed by a backslash, then the domain administrator name, for example:
domain-name\administrator
If the connector accesses an Active Roles Server remotely, two sets of administrator credentials are required:
A domain administrator account, which is the same as above. The System password option should be checked.
A member of Active Roles Admin account.
Accessing Active Roles Server remotely requires additional configuration on both the Active Roles Server and the Bravura Security Fabric server where the Active Roles connector is installed. See Setting up access to Active Roles Management Shell.
